Random audio playing in background of PC

Discussion in 'Troubleshooting Help' started by gdshifty, Nov 27, 2011.

  1. gdshifty

    gdshifty Member

    Joined:
    Jan 30, 2007
    Messages:
    1,017
    So since yesterday my PC has become infected with something. When I boot it up, my audio WAVE meter is turned down to zero volume. So I turn it up, and then I get this random audio crap playing in the background. It's a mixture of radio station adverts, music, all sorts of shit. Task manager shows I have no web browsers open, and after doing a bit of googling I realise I have some spyware/infection.

    However, I've googled for a couple of hours for solutions and tried a couple of things, such as Malwarebytes and SUPERAntiSpyware, but they haven't gotten rid of the problem either.

    Has anyone else encountered this problem and had success in removing whatever the fck it is?

    Cheers
     
  2. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,798
    Location:
    Mackay, QLD.
    That's pretty deadly spyware lol.

    Grab a copy of hijack this, run and post log here.
     
  3. OP
    OP
    gdshifty

    gdshifty Member

    Joined:
    Jan 30, 2007
    Messages:
    1,017
    You're not kidding. I'm now in safe mode. All of a sudden everything wouldn't open and all my programs closed down, including my Party Poker, and I was almost in the money!!!

    Anyway, I should be able to get that log now that my web browser isn't getting redirected every 5 seconds lol.

    Fck, it's aggressive, this thing, eh.
     
  4. OP
    OP
    gdshifty

    gdshifty Member

    Joined:
    Jan 30, 2007
    Messages:
    1,017
    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #4
    ==============================================
    >SSDT State
    ==============================================
    ==============================================
    >Shadow
    ==============================================
    ==============================================
    >Processes
    ==============================================
    0x8A6FF830 [4] System
    0x8991DDA0 [192] C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
    0x8973A818 [504] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
    0x8A46BDA0 [552] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
    0x89890620 [624] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x8A3B4558 [680] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
    0x8A244A20 [744] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
    0x8989C020 [780] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
    0x8A25CC88 [828] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
    0x8A266A30 [840] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
    0x8A24A638 [1016] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 260.99)
    0x8975BDA0 [1068] C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc., Java(TM) Update Checker)
    0x89974718 [1072] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x89979800 [1160] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x8987E9E0 [1256] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x898E7260 [1380] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x8993E768 [1456] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x8A3C4620 [1464] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
    0x89945B28 [1616] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
    0x8994ABC0 [1688] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
    0x89437668 [1736] C:\Documents and Settings\Gavin\My Documents\Downloads\RKUnhookerLE.EXE (UG North, RKULE, SR2 Overlord)
    0x8987DDA0 [1800] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., MobileDeviceService)
    0x8A3C5460 [1824] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
    0x8980A9F0 [1852] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp., Realtek HD Audio Control Panel)
    0x89930DA0 [1868] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
    0x8A598800 [1892] C:\Program Files\Ask.com\Updater\Updater.exe (Ask, Ask Updater)
    0x8A331DA0 [1924] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
    0x898DE880 [1952] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
    0x8A59CDA0 [1992] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
    0x897573E0 [2012] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
    0x8A57B798 [2028] C:\Documents and Settings\Gavin\Application Data\MediaWmplay\FlashPlugin\FlashUtil246_ActiveX.exe
    0x89813DA0 [2056] C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc., McAfee Security Scanner Scheduler)
    0x8A2978F8 [2144] C:\Program Files\PartyGaming\PartyGaming.exe (-, PartyGaming MFC Application)
    0x8970CDA0 [2284] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)
    0x89928020 [2420] C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation, Plugin Container for Firefox)
    0x8A39D890 [3184] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
    0x8967AA08 [3284] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
    ==============================================
    >Drivers
    ==============================================
    0xB73B5000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 9625600 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 260.99 )
    0xB4A05000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6397952 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6361088 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 260.99 )
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2154496 bytes
    0x804D7000 RAW 2154496 bytes
    0x804D7000 WMIxWDM 2154496 bytes
    0xBF800000 Win32k 1859584 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB7E05000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xB47FA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB716F000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xB4905000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xB35A3000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
    0xB72D9000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 270336 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
    0xB2D6E000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB726D000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
    0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xB3816000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xB7DD8000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xB21FE000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
    0xB486A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB733E000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
    0xB48B7000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB7F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
    0xB48DF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xB49E1000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB737D000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB731B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xB4895000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x806E5000 ACPI_HAL 134400 bytes
    0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB7EBB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB7DBE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xB7F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xB47A9000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xB7EF3000 jraid.sys 98304 bytes (JMicron Technology Corp., JMicron JMB36X RAID Driver)
    0xB7EDB000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
    0xB7E92000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB72AE000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xB3739000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB72C5000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
    0xB73A1000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xB495E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xB7EA9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB729D000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xB47C1000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
    0xB8288000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xB82A8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
    0xB80C8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
    0xB82B8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xB81B8000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
    0xB8178000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xB8298000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0xB71ED000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xB8168000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xB80D8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
    0xB80A8000 tgywhy.sys 57344 bytes
    0xB8118000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xB82C8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xB80F8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xB82E8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xB81C8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xB8278000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xB80E8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xB82D8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xB80B8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xB8148000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xB8308000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xB22E9000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0xB8108000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xB81E8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xB8268000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xB375E000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
    0xB82F8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xB81A8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xB8198000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xB8468000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xB8470000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0xB83F8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xB8410000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0xB8450000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xB8400000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0xB8430000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xB8438000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xB83F0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xB8458000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xB8440000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
    0xB8460000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xB8420000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xB8428000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xB8418000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xB8478000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xB5023000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB3BA3000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
    0xB7D82000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xB3A93000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xB85A0000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xB49D5000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xB5037000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xB5033000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB85A4000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xB7163000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xB85DE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xB85AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
    0xB85E4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xB85DC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xB85E0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xB8612000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
    0xB85E2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xB85D4000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xB85D8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xB876C000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xB87B6000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xB87FF000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    ==============================================
    >Stealth
    ==============================================
    ==============================================
    >Files
    ==============================================
    !-->[Hidden] C:\Documents and Settings\Gavin\Application Data\Macromedia\Flash Player\#SharedObjects\UAFH9AF4\player.onescreen.net\1.6\s\MediaPlayer.swf\OsMediaPlayerId.sol
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\637MIYNU\logCALTDC9R.gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\PG4AG8R1\log[10].gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\PG4AG8R1\log[9].gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\1005080_DA_MjM0MjA1NjA=[1].mp4
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\as=250955[1].mjs
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\behealthydaily_300x250[1].jpg
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\log[10].gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\log[11].gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\log[8].gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\UERM2D7K\log[9].gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\1004400_DA_MjEwOTQ0ODA=[1].jpg
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\1004400_DA_MjExODMwMDA=[1].jpg
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\1004400_DA_MjEyMzU4MDA=[1].jpg
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\1004400_DA_MjEyNDIzMDA=[1].jpg
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\2340200[1].xml
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\ads[3].htm
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\as=250956[2].mjs
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\as=412383[1].js
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\logCA0JB6RJ.gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\logCA3XS333.gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\logCANJHXGG.gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\logCARNOZ34.gif
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\session[1].js
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\session[2].js
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\YA6D8N37\tpas1[3].xml
    !-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temp\fla62.tmp
    ==============================================
    >Hooks
    ==============================================
    ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
    [2028]FlashUtil246_ActiveX.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x00411000-->00000000 [unknown_code_page]
    [2028]FlashUtil246_ActiveX.exe-->advapi32.dll-->RegOpenKeyW, Type: IAT modification 0x00411004-->00000000 [unknown_code_page]
    [2028]FlashUtil246_ActiveX.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00411014-->00000000 [unknown_code_page]
    [2028]FlashUtil246_ActiveX.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x00411010-->00000000 [unknown_code_page]
    [2144]PartyGaming.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->EC810004 [unknown_code_page]
    [2420]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->105D6996 [xul.dll]
    [3284]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->0040131F [firefox.exe]
    [552]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->5CB77774 [shimeng.dll]
    [552]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]


    I saved that report using another program called RKunhooker before my PC crashed.
     
  5. BlueRaven

    BlueRaven Brute force & optimism

    Joined:
    Jul 29, 2010
    Messages:
    5,446
    Location:
    2076
    I'm not an expert at this, but it certainly sounds like rootkit behaviour and the "FlashUtil246_ActiveX.exe" import address table code hooks look a bit strange, as does this:
    !-->[Hidden] C:\Documents and Settings\Gavin\Application Data\Macromedia\Flash Player\#SharedObjects\UAFH9AF4\player.onescreen.net\1.6\s\MediaPlayer.swf\OsMediaPlayerId.sol

    Perhaps try unhooking those FlashUtil246 entries using RkU and then try running Malwarebytes and/or antispyware again?
     
    Last edited: Nov 27, 2011
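    An added example (not from any post in this thread, and not part of RkU): a small Python triage script over the RkU report format posted above. It flags the entries BlueRaven points at (IAT hooks whose target is 0x0 or that resolve to no loaded module, hidden files outside the browser cache) plus driver entries with no on-disk path or version info; the section and line regexes are assumptions read off the posted log's layout.

```python
"""Triage helper for the Rootkit Unhooker (RkU) text report format.

Added example for this thread, not part of RkU or of any post; the line
layouts below are assumptions read off the report posted above.
"""
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the report posted in this thread.
SAMPLE_REPORT = r"""
>Processes
==============================================
0x8A46BDA0 [552] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x8A57B798 [2028] C:\Documents and Settings\Gavin\Application Data\MediaWmplay\FlashPlugin\FlashUtil246_ActiveX.exe
0x8A2978F8 [2144] C:\Program Files\PartyGaming\PartyGaming.exe (-, PartyGaming MFC Application)
==============================================
>Drivers
==============================================
0x804D7000 PnpManager 2154496 bytes
0xB47A9000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB80A8000 tgywhy.sys 57344 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\Gavin\Application Data\Macromedia\Flash Player\#SharedObjects\UAFH9AF4\player.onescreen.net\1.6\s\MediaPlayer.swf\OsMediaPlayerId.sol
!-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temporary Internet Files\Content.IE5\PG4AG8R1\log[9].gif
!-->[Hidden] C:\Documents and Settings\Gavin\Local Settings\Temp\fla62.tmp
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[2028]FlashUtil246_ActiveX.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x00411000-->00000000 [unknown_code_page]
[2028]FlashUtil246_ActiveX.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00411014-->00000000 [unknown_code_page]
[2144]PartyGaming.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->EC810004 [unknown_code_page]
[552]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
==============================================
"""

HEX = r"[0-9A-Fa-f]+"
PROC_RE = re.compile(rf"^0x{HEX} \[(\d+)\] (.+?)(?: \((.+)\))?$")
DRV_RE = re.compile(rf"^0x{HEX} (.+?) (\d+) bytes(?: \((.+)\))?$")
HIDDEN_RE = re.compile(r"^!-->\[Hidden\] (.+)$")
HOOK_RE = re.compile(rf"^(?:\[(\d+)\])?(.+?), Type: (.+?) 0x({HEX})-->({HEX}) \[(.+?)\]$")


def parse_sections(report):
    """Split the report into {section name: [entry lines]} using the '>Name' headers."""
    sections = defaultdict(list)
    current = None
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):
            current = line[1:]
        elif current:
            sections[current].append(line)
    return sections


def triage(report):
    """Return (category, detail) findings worth a closer look, in report order."""
    sec = parse_sections(report)
    findings, procs = [], {}
    for m in filter(None, map(PROC_RE.match, sec["Processes"])):
        pid, path, desc = int(m.group(1)), m.group(2), m.group(3)
        procs[pid] = path
        if desc is None:  # RkU printed no vendor/description: no version resource
            findings.append(("process", f"pid {pid} has no version info: {path}"))
    for m in filter(None, map(DRV_RE.match, sec["Drivers"])):
        name, desc = m.group(1), m.group(3)
        # A .sys with neither an on-disk path nor version info. Kernel pseudo-modules
        # such as PnpManager also lack both, but they are not .sys names.
        if desc is None and "\\" not in name and name.lower().endswith(".sys"):
            findings.append(("driver", f"no path or version info: {name}"))
    for m in filter(None, map(HIDDEN_RE.match, sec["Files"])):
        # Hidden entries under the IE cache are routine; hidden files elsewhere are not.
        if "Temporary Internet Files" not in m.group(1):
            findings.append(("hidden_file", m.group(1)))
    for m in filter(None, map(HOOK_RE.match, sec["Hooks"])):
        pid, chain, kind, _src, dst, owner = m.groups()
        reasons = []
        if int(dst, 16) == 0:
            reasons.append("import entry nulled (target 0x0)")
        if owner == "unknown_code_page":
            reasons.append("target is not inside any loaded module")
        if reasons:
            where = f"pid {pid} ({procs.get(int(pid), '?')})" if pid else "kernel"
            findings.append(("hook", f"{where} {chain} [{kind}]: {'; '.join(reasons)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:12} {detail}")
```

    On the sample it reports the path-less FlashUtil246 process, the tgywhy.sys driver, the two hidden files outside the IE cache and the three hooks that land in unknown_code_page, while the shimeng.dll hooks in explorer.exe (the application compatibility shim engine) are left alone.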
  6. OP
    OP
    gdshifty

    gdshifty Member

    Joined:
    Jan 30, 2007
    Messages:
    1,017
    Hrmm, my RkU says it's not designed to run in safe mode, and alas it gives me an error when I try to use it.

    Have performed a full scan with SUPERAntiSpyware but it was still there. Am now trying Malwarebytes, but if that doesn't resolve it I'm really not sure what's next.
     
  7. Reaper_1994

    Reaper_1994 Member

    Joined:
    Mar 24, 2010
    Messages:
    2,040
    Location:
    Townsville, QLD
    A manual deletion of all temp files (don't quote me on where they are....) and the file mentioned by BlueRaven. Try CCleaner too.

    If that doesn't work then it's coming down to a reload of windows.... :Paranoid:

    Edit:
    One place, I just remembered:
    C:\Users\<USER>\AppData\Local\Temp

    Where <USER> is, replace it with your user name.
     
    Last edited: Nov 27, 2011
  8. BlueRaven

    BlueRaven Brute force & optimism

    Joined:
    Jul 29, 2010
    Messages:
    5,446
    Location:
    2076
    Unfortunately mate, if it's a rootkit-based infection you can run any antivirus you like, as many times as you like, and it still won't pick it up. The rootkit enables code hooks that redirect any 'snooping' around its address space, or just crashes the PC when you try to find and remove it (at least that's how I understand them to work). Someone else more knowledgeable in this kind of thing might still be able to offer a solution, but I'm out of ideas apart from format/reinstall :(
     
  9. rastascan

    rastascan Member

    Joined:
    Feb 2, 2007
    Messages:
    24
    Location:
    Sydney, Hobbitsville
  10. Redefine

    Redefine Member

    Joined:
    Mar 31, 2002
    Messages:
    441
    Location:
    Bayswater,Victoria
  11. disguisey

    disguisey Member

    Joined:
    Aug 3, 2009
    Messages:
    1,970
    Location:
    under your bed
    Combofix worked for the rootkits for me; had a nasty one where it infected every one of my browsers and redirected me every time I clicked on a link.
     
  12. BlueRaven

    BlueRaven Brute force & optimism

    Joined:
    Jul 29, 2010
    Messages:
    5,446
    Location:
    2076
    hehe, AYRABTU. :lol:

    Sounds like a good tool, I'll remember this one. Thanks for the link. :thumbup:
    I've had some success with Rootkit Unhooker in the past, shame it's not working for the OP. Hopefully one of the aforementioned tools will do it.
    Good luck OP, let us know how you go.
     
  13. OP
    OP
    gdshifty

    gdshifty Member

    Joined:
    Jan 30, 2007
    Messages:
    1,017
    Thanks for this reply. TDSSKiller came up with nothing, but GMER has got 5 results. Only trouble is, I don't know what to do next.

    As you can see in the pic below, there are only options of scan, copy, save. Any advice on what to do next?

    [image: screenshot of the GMER scan results]
     
  14. ICEW0LF

    ICEW0LF Member

    Joined:
    Oct 17, 2007
    Messages:
    660
    Location:
    Canberra
    Last resort is Combofix.

    Most of the programs I sweep infected machines with have been mentioned already.

    I don't like to use Combofix, but give that a go before you resort to a reformat.

    Haven't used GMER so can't tell you how to run it.
     
  15. Ninja_Harbinger

    Ninja_Harbinger Member

    Joined:
    Jun 2, 2011
    Messages:
    1,032
    Location:
    A warp pipe near you
    eww xp :sick:

    +1 for the reinstall if it's a big problem... copy all of your data to another drive and do a fresh install.

    P.S. Use windows 7, it looks less crap...
     
  16. damo13579

    damo13579 Member

    Joined:
    Oct 21, 2008
    Messages:
    1,313
    Location:
    Tas
    I had a similar issue around 2 years ago. Spent ages trying to fix it, ended up giving up and installing Windows 7.
     
  17. OP
    OP
    gdshifty

    gdshifty Member

    Joined:
    Jan 30, 2007
    Messages:
    1,017
    Final outcome: format and install of Windows 7.

    Problem resolved.
     
  18. Cask

    Cask Member

    Joined:
    Nov 30, 2011
    Messages:
    759
    Location:
    Gold Coast

    Sadly a format is usually the best (slightly painless) way to get rid of a rootkit.
     
  19. BlueRaven

    BlueRaven Brute force & optimism

    Joined:
    Jul 29, 2010
    Messages:
    5,446
    Location:
    2076
    Bummer. Oh well, enjoy your nice quick new clean install. :)

    My current install has been mangled over about eighteen months and is starting to misbehave. :Paranoid:

    I think it's time for an exorcism of my own.:Pirate:
     
  20. trackhappy

    trackhappy Member

    Joined:
    Dec 29, 2009
    Messages:
    2,364
    Location:
    Redbank Plains, QLD, 4301
    This time make sure you're careful. Viruses don't just magically install themselves, there is always some sort of user initiation. Also get Avast. That plus Windows Defender has been all I've ever needed. And it's free.

    Also I noticed you took that screenshot with Hypersnap. That's nothing but crapware. Windows does the same thing and doesn't require payment afterwards. It's called the print screen key. Alternatively you can take a screenshot of the active window by pressing Alt+Print Screen.

    P.S. That Party Poker thing is a bit of a worry, too.
     
    Last edited: Dec 8, 2011
